Field of the Invention
The present invention relates generally to defending Point of Sale computer systems against security breaches and, more particularly, to defending such systems against memory scraping spyware and other malware attacks.
Description of the Background Art
Point-of-sale (POS) systems are extremely critical components in any retail environment. These systems have evolved beyond simple cash registers into modern POS systems and they tend to be tied to a business's payment processing through networked PC based platforms which include Windows XP, Windows 7, Windows Embedded POS and Windows CE.
This poses a significant risk as these operating systems are already vulnerable to various exploits and malware online. Credit and debit card data theft is one of the most common forms of Cybercrime today.
Cybercrime gangs organize sophisticated operations to steal vast amounts of credit card track data before selling it in underground marketplaces. Criminals can use the track data stolen from a card's magnetic stripe to create clone cards. It is a potentially lucrative business, with individual cards selling for as little as five dollars.
There are several methods that attackers can deploy to steal this data. One option is to gain access to a database where card data is stored. Over the past several years, PCI standards have made this harder and forced hackers into other methods of card theft. Another option is to target the point at which a retailer first acquires that card data: the Windows Point of Sale (POS) system.
Modern POS systems are pre-configured Windows computers with sales software installed and are equipped with a card reader. Card data can be stolen by installing a device onto the card reader and personal identification number (PIN) pad which reads the data off the card's magnetic stripe and possibly compromises the card holder's PIN. This process is commonly known as "skimming". This form of crime is difficult, as it requires additional hardware and physical access to the card reader, and it is difficult to carry out this type of theft on a large scale.
Point-of-sale (POS) malware is specially crafted malicious software written to search for, collect and export credit card holder data.
Random-access memory (RAM) is a form of computer data storage that allows binary data to be read and written by a computer in the course of data processing. This malware targets RAM by recognizing card holder data (CHD) in memory and scraping the contents of credit card data as it passes through memory buffers on an infected machine.
Once a Point-of-sale computer is compromised, the malware is installed remotely. Point-of-sale RAM scrapers steal credit card payment data, more specifically credit card track one and track two data, from the random-access memory (RAM) of Point-of-Sale (POS) systems.
This is generally accomplished as follows: the attackers must first identify points in the random-access memory (RAM) of a compromised computer where the card holder data (CHD) is unencrypted or passing through memory as plain readable text.
Once this area of random-access memory (RAM) has been pinpointed, the attackers will typically deploy one of three types of crimeware: keystroke loggers, memory dumpers and network sniffers.
Point of sale malware, when installed as a driver or as a system process, can operate at the kernel level scraping every memory page available. It performs two specific functions. The first is process enumeration and memory dumping: enumerating all processes of interest and writing their memory into a buffer or dumping it into a file for later theft.
The second is a track data search: the malware reads memory and sorts through the buffered/dumped memory for card information in a specific format (card track data delimiters and separators), together with a Luhn algorithm check on candidate track data.
Memory scraping can be done in Windows using EnumProcesses (which retrieves the process identifier for each process object in the system) to enumerate the processes on the system, looking for specific processes of interest by name (such as pos.exe, micros.exe, etc.), and then passing the associated process ID (PID) to OpenProcess (which opens an existing local process object) to obtain a handle.
The process can be opened with the PROCESS_QUERY_INFORMATION and PROCESS_VM_READ access rights in order to access the target process's resources.
VirtualQueryEx (which retrieves information about a range of pages within the virtual address space of a specified process) can then be called on the handle to obtain all memory regions, and the contents of all non-image regions can be copied and scanned with ReadProcessMemory (which reads data from an area of memory in a specified process; the entire area to be read must be accessible or the operation fails). This unique combination of functions is found in the import tables of these classes of memory scraping point of sale malware.
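As an added example (not part of the patent text), the access-right combination described above can be turned into a detection rule: the Python below scans constructed Sysmon-style ProcessAccess events for handles to the named POS processes that were opened with both PROCESS_QUERY_INFORMATION and PROCESS_VM_READ by an image outside an allowlist. The event layout, the POS process set and the allowlist are assumptions.

```python
import re
from dataclasses import dataclass

# Process access rights named in the text (values from winnt.h).
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400
SCRAPER_MASK = PROCESS_VM_READ | PROCESS_QUERY_INFORMATION

# POS process names the text gives as scraper targets; assumption: a real
# deployment tailors this set and the allowlist to its own POS software.
POS_PROCESSES = {"pos.exe", "micros.exe"}
ALLOWLIST = {r"c:\windows\system32\csrss.exe"}

# Constructed sample events in a simplified Sysmon-style ProcessAccess
# (Event ID 10) key=value layout; these are not real log lines.
SAMPLE_EVENTS = [
    r"SourceImage=C:\Users\Public\svchost32.exe TargetImage=C:\POS\pos.exe GrantedAccess=0x1410",
    r"SourceImage=C:\Windows\System32\csrss.exe TargetImage=C:\POS\pos.exe GrantedAccess=0x1FFFFF",
    r"SourceImage=C:\Tools\mon.exe TargetImage=C:\POS\pos.exe GrantedAccess=0x1000",
    r"SourceImage=C:\Users\Public\svchost32.exe TargetImage=C:\Windows\explorer.exe GrantedAccess=0x1410",
]

@dataclass
class Finding:
    source: str
    target: str
    granted_access: int

def parse_event(line: str) -> dict:
    """Split a 'Key=Value Key=Value' line into a dict (values hold no spaces here)."""
    return dict(re.findall(r"(\w+)=(\S+)", line))

def is_scraper_access(granted: int) -> bool:
    """True when the handle carries both rights a scraper needs: query + VM read."""
    return (granted & SCRAPER_MASK) == SCRAPER_MASK

def detect(lines: list) -> list:
    """Report POS-process handles opened with scraper rights by non-allowlisted images."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        target = ev.get("TargetImage", "").rsplit("\\", 1)[-1].lower()
        source = ev.get("SourceImage", "").lower()
        granted = int(ev.get("GrantedAccess", "0x0"), 16)
        # 0x1000 (PROCESS_QUERY_LIMITED_INFORMATION) alone cannot read memory and is ignored.
        if target in POS_PROCESSES and source not in ALLOWLIST and is_scraper_access(granted):
            findings.append(Finding(ev["SourceImage"], ev["TargetImage"], granted))
    return findings
```

On the constructed events, `detect(SAMPLE_EVENTS)` reports only the unknown image that opened pos.exe with 0x1410; the allowlisted system process, the limited-query handle and the access to a non-POS process are not reported.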
Protected processes, as introduced in the Windows operating system, control the rights at the kernel level that can be granted to thread and process objects when they are opened or duplicated by user-mode processes. Unfortunately, this is an all-or-nothing arrangement that restricts all but a limited set of query accesses.
Memory scraping locates sensitive data in an application by scanning for signs of the intended data and copying it. This works because decrypted or raw data exists temporarily in memory even when it might be stored or transmitted securely.